1. Overview of SaltStack
SaltStack is an infrastructure management tool for heterogeneous platforms that provides remote execution, configuration management and cloud management. It can be up and running in a few minutes, scales to manage tens of thousands of servers, and is fast: communication between master and minions takes seconds, so data is delivered within a few seconds.
1.1 The three core functions of SaltStack
- Remote execution
- Configuration management (states)
- Cloud management
1.2 The four ways to run SaltStack
- local: run locally
- master/minion
- Syndic (distributed)
- Salt SSH
1.3 Learning resources
- SaltStack official documentation: https://docs.saltstack.com/en/latest/
- SaltStack on GitHub: https://github.com/saltstack
2. Installing SaltStack
2.1 Configure the yum repository
CentOS 7:
yum install -y https://mirrors.aliyun.com/saltstack/yum/redhat/salt-repo-latest-2.el7.noarch.rpm
CentOS 6:
yum install -y https://repo.saltstack.com/yum/redhat/salt-repo-latest.el6.noarch.rpm
# '#' is used as the sed delimiter because the replacement path contains '/'
sed -i "s#repo.saltstack.com#mirrors.aliyun.com/saltstack#g" /etc/yum.repos.d/salt-latest.repo
yum makecache
2.2 Install the master and start the service
[root@salt-master ~]# yum install salt-master -y
[root@salt-master ~]# systemctl enable salt-master
[root@salt-master ~]# systemctl start salt-master
[root@salt-master ~]# rpm -qa|grep salt-master
salt-master-2019.2.0-1.el7.noarch
[root@salt-master ~]# rpm -ql salt-master
/etc/salt/master
/etc/salt/master.d
/etc/salt/pki/master
/usr/bin/salt
/usr/bin/salt-cp
/usr/bin/salt-key
/usr/bin/salt-master
/usr/bin/salt-run
/usr/bin/salt-unity
/usr/lib/systemd/system/salt-master.service
/usr/share/man/man1/salt-cp.1.gz
/usr/share/man/man1/salt-key.1.gz
/usr/share/man/man1/salt-master.1.gz
/usr/share/man/man1/salt-run.1.gz
/usr/share/man/man1/salt-unity.1.gz
/usr/share/man/man1/salt.1.gz
/usr/share/man/man7/salt.7.gz
2.3 Install the minion and point it at the master's network address (hostname or IP address)
[root@salt-minion1-c7 ~]# yum install salt-minion -y
[root@salt-minion1-c7 ~]# sed -i 's/#master: salt/master: 10.0.0.11/g' /etc/salt/minion
[root@salt-minion1-c7 ~]# systemctl enable salt-minion
[root@salt-minion1-c7 ~]# systemctl start salt-minion
# If startup fails, check the logs: /var/log/salt/master on the master, /var/log/salt/minion on the minion
On CentOS 6, start it like this:
[root@salt-minion4-c6 yum.repos.d]# /etc/init.d/salt-minion start
Starting salt-minion:root:salt-minion4-c6 daemon: OK
[root@salt-minion4-c6 yum.repos.d]# chkconfig salt-minion on
[root@salt-minion4-c6 yum.repos.d]# chkconfig --list|grep salt
salt-minion     0:off   1:off   2:on    3:on    4:on    5:on    6:off
2.4 How SaltStack authenticates
Salt encrypts its data transport with AES; before the master and a minion can communicate, they must authenticate each other.
1) When a minion starts for the first time, it generates minion.pem (private key) and minion.pub (public key) under /etc/salt/pki/minion/ and sends minion.pub to the master.
2) When the master starts for the first time, it generates master.pem and master.pub under /etc/salt/pki/master and receives the minion's public key.
3) Once the master accepts the minion's public key with the salt-key command, that key is stored under /etc/salt/pki/master/minions in a file named after the minion id, and the minion keeps a copy of the master's public key as /etc/salt/pki/minion/minion_master.pub.
# On the minion
[root@salt-minion1-c7 ~]# tree /etc/salt/
/etc/salt/
├── cloud
├── cloud.conf.d
├── cloud.deploy.d
├── cloud.maps.d
├── cloud.profiles.d
├── cloud.providers.d
├── master
├── master.d
├── minion
├── minion.d
├── minion_id
├── pki
│   ├── master
│   └── minion
│       ├── minion.pem   # the minion's private key
│       └── minion.pub   # the minion's public key
├── proxy
├── proxy.d
└── roster

# On the master
[root@salt-master ~]# tree /etc/salt/
/etc/salt/
├── cloud
├── cloud.conf.d
├── cloud.deploy.d
├── cloud.maps.d
├── cloud.profiles.d
├── cloud.providers.d
├── master
├── master.d
├── minion
├── minion.d
├── pki
│   ├── master
│   │   ├── master.pem
│   │   ├── master.pub
│   │   ├── minions
│   │   ├── minions_autosign
│   │   ├── minions_denied
│   │   ├── minions_pre   # public keys sent by the minions
│   │   │   ├── salt-minion1-c7
│   │   │   ├── salt-minion2-c7
│   │   │   ├── salt-minion3-c7
│   │   │   └── salt-minion4-c6
│   │   └── minions_rejected
│   └── minion
├── proxy
├── proxy.d
└── roster

16 directories, 11 files
[root@salt-master ~]# cat /etc/salt/pki/master/minions_pre/salt-minion1-c7
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwWS46MVCSFG/acTB+5t7
q6Y+rCBRwjwg5YmyKhTF1C61U2Uy/ROhQ2kt3fZlx95UzXKDideqR9R7WdK/fQuF
E/UUbDh6afDsMq1YgF33cao1HDhdHiwE7V+em4ihuKsMuZGygn5p5ivgKtbLcD7M
OVPMijdnYVX2hP5A0ClD2Ed0Ipezw+ubs859Ztyw3TwpW4cXv+U4GXCtfkLfzUJM
5l40IFmdvxUiMnjYuHNxrrVpq5cub2fIMhSTSyoZJaqHc3AJqLnUPzXhTRHLuh1r
+ne/bT1iVA3w+XiQC0EM1uwpFo57CRr4dTw6/UAoQWZ0phPEjCFPZSsvWWTWRJNq
4QIDAQAB
-----END PUBLIC KEY-----

# The master accepts the keys with salt-key
[root@salt-master ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
salt-minion1-c7
salt-minion2-c7
salt-minion3-c7
salt-minion4-c6
Rejected Keys:
[root@salt-master ~]# salt-key -A
The following keys are going to be accepted:
Unaccepted Keys:
salt-minion1-c7
salt-minion2-c7
salt-minion3-c7
salt-minion4-c6
Proceed? [n/Y] Y
Key for minion salt-minion1-c7 accepted.
Key for minion salt-minion2-c7 accepted.
Key for minion salt-minion3-c7 accepted.
Key for minion salt-minion4-c6 accepted.
[root@salt-master ~]# salt-key -L
Accepted Keys:
salt-minion1-c7
salt-minion2-c7
salt-minion3-c7
salt-minion4-c6
Denied Keys:
Unaccepted Keys:
Rejected Keys:

# On the minion
[root@salt-minion1-c7 ~]# tree /etc/salt/
/etc/salt/
├── cloud
├── cloud.conf.d
├── cloud.deploy.d
├── cloud.maps.d
├── cloud.profiles.d
├── cloud.providers.d
├── master
├── master.d
├── minion
├── minion.d
│   └── _schedule.conf
├── minion_id
├── pki
│   ├── master
│   └── minion
│       ├── minion_master.pub   # the master's public key
│       ├── minion.pem
│       └── minion.pub
├── proxy
├── proxy.d
└── roster

# On the master
[root@salt-master ~]# tree /etc/salt/
/etc/salt/
├── cloud
├── cloud.conf.d
├── cloud.deploy.d
├── cloud.maps.d
├── cloud.profiles.d
├── cloud.providers.d
├── master
├── master.d
├── minion
├── minion.d
├── pki
│   ├── master
│   │   ├── master.pem
│   │   ├── master.pub
│   │   ├── minions   # the minion public keys have moved from minions_pre to minions
│   │   │   ├── salt-minion1-c7
│   │   │   ├── salt-minion2-c7
│   │   │   ├── salt-minion3-c7
│   │   │   └── salt-minion4-c6
│   │   ├── minions_autosign
│   │   ├── minions_denied
│   │   ├── minions_pre
│   │   └── minions_rejected
│   └── minion
├── proxy
├── proxy.d
└── roster
Using the salt-key command
[root@salt-master ~]# salt-key -L
Accepted Keys:
Denied Keys:
Unaccepted Keys:
salt-minion1-c7
salt-minion2-c7
salt-minion3-c7
salt-minion4-c6
Rejected Keys:

# Common salt-key options
-L    # list keys and their state
-A    # accept all pending keys
-D    # delete all keys
-a    # accept the specified key
-d    # delete the specified key (restart the minion to submit it for acceptance again)
-r    # reject the specified key (it is then no longer authenticated); combine with --include-accepted or --include-denied to also reject keys in those states

# Setting in /etc/salt/master on the master
auto_accept: True    # if the minions are trusted, the master can be configured to accept key requests automatically

# accept the key of one minion
salt-key -a salt1-minion.example.com -y
# accept the keys of all minions
salt-key -A -y
# delete one key
salt-key -d salt1-minion.example.com -y
# delete all keys
salt-key -D -y
# reject the key of one minion
salt-key -r salt-minion4-c6 --include-accepted
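Accepting every pending key (salt-key -A or auto_accept: True) trusts whichever host presented a key under that minion id. As an added example, not code from the original post, here is a small Python gate for the acceptance step of section 2.4: it parses `salt-key -L` output, fingerprints the pending keys from minions_pre, and accepts only minions whose id and fingerprint match an inventory recorded out of band (for instance from `salt-call key.finger` on the host itself), rejecting everything else with the salt-key options shown above. The fingerprint routine assumes Salt hashes the base64 body of the PEM; compare its output with `salt-key -f` on your master before relying on it. The key list, inventory and PEM are constructed sample data.

```python
import hashlib

# Constructed sample of `salt-key -L` output, in the format shown on the master above.
SALT_KEY_LIST = """Accepted Keys:
Denied Keys:
Unaccepted Keys:
salt-minion1-c7
salt-minion2-c7
salt-minion3-c7
salt-minion4-c6
Rejected Keys:
"""

# Constructed stand-in for a file under /etc/salt/pki/master/minions_pre (not a real key).
SAMPLE_PEM = "-----BEGIN PUBLIC KEY-----\nQUJDREVGR0g=\nSUpLTE1OT1A=\n-----END PUBLIC KEY-----\n"


def parse_salt_key_list(output):
    """Turn `salt-key -L` text into {state: [minion ids]}."""
    states, current = {}, None
    for line in output.splitlines():
        if line.endswith(" Keys:"):
            current = line[: -len(" Keys:")]
            states[current] = []
        elif line.strip() and current is not None:
            states[current].append(line.strip())
    return states


def pem_finger(pem_text, sum_type="sha256"):
    """Fingerprint of a PEM public key as colon-separated hex pairs.
    Assumption: hashing the base64 body lines (header/footer dropped, newlines
    kept) mirrors Salt's own fingerprinting; confirm against `salt-key -f`."""
    body = [l for l in pem_text.splitlines() if l.strip()][1:-1]
    digest = getattr(hashlib, sum_type)(("\n".join(body) + "\n").encode()).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def plan_key_actions(states, inventory, pending):
    """inventory: {minion_id: fingerprint recorded out of band}; pending: {minion_id: PEM}.
    Accept only when the id is expected AND the fingerprint matches; reject the rest."""
    plan = {"accept": [], "reject": []}
    for mid in states.get("Unaccepted", []):
        actual = pem_finger(pending[mid]) if mid in pending else None
        if inventory.get(mid) is not None and actual == inventory[mid]:
            plan["accept"].append(mid)
        else:
            plan["reject"].append(mid)
    return plan


def salt_key_commands(plan):
    """The salt-key invocations (as used above) that carry out the plan."""
    return ([f"salt-key -a {m} -y" for m in plan["accept"]]
            + [f"salt-key -r {m}" for m in plan["reject"]])
```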
3. Remote command execution with SaltStack
3.1 Check whether the minions are alive
[root@salt-master ~]# salt '*' test.ping
salt-minion1-c7:
    True
salt-minion2-c7:
    True
salt-minion3-c7:
    True
salt-minion4-c6:
    True
[root@salt-master ~]# salt 'salt-minion1-c7' test.ping
salt-minion1-c7:
    True
[root@salt-master ~]# salt 'salt-minion?-c7' test.ping
[root@salt-master ~]# salt 'salt-minion*' test.ping
# salt is the command
# '*' is the target: a specific host, or a pattern containing wildcards
# test.ping is the ping function of the test module
3.2 Run shell commands remotely with cmd.run
[root@salt-master ~]# salt '*' cmd.run 'uptime'
salt-minion4-c6:
    04:47:33 up 2:07, 2 users, load average: 0.00, 0.00, 0.00
salt-minion3-c7:
    20:48:09 up 2:07, 2 users, load average: 0.00, 0.01, 0.05
salt-minion1-c7:
    20:48:09 up 2:07, 2 users, load average: 0.00, 0.01, 0.05
salt-minion2-c7:
    20:48:09 up 2:07, 2 users, load average: 0.00, 0.01, 0.05
[root@salt-master ~]# salt 'salt-minion3-c7' cmd.run 'uptime'
salt-minion3-c7:
    20:48:20 up 2:07, 2 users, load average: 0.00, 0.01, 0.05
4. Configuration management with SaltStack
SaltStack describes states in YAML files, and the file extension must be .sls.
4.1 Basic YAML syntax
YAML:
1. Indentation (nesting): 2 spaces; tabs are not allowed.
2. Colon: key: value   # with a space after the colon
3. Dash: list items
   - list1
   - list2
4.2 Set up the base environment
[root@salt-master ~]# vim /etc/salt/master
# file_roots:            # example from the default config file
#   base:
#     - /srv/salt/
#   dev:
#     - /srv/salt/dev/services
#     - /srv/salt/dev/states
#   prod:
#     - /srv/salt/prod/services
#     - /srv/salt/prod/states
#
file_roots:
  base:
    - /srv/salt
[root@salt-master ~]# systemctl restart salt-master.service
4.3 Write the YAML state files
[root@salt-master ~]# mkdir -p /srv/salt/app
[root@salt-master ~]# cd /srv/salt/app
[root@salt-master app]# cat apache.sls
apache-install:
  pkg.installed:
    - name: httpd
apache-start:
  service.running:
    - name: httpd
    - enable: True
[root@salt-master app]# cat vsftpd.sls
vsftpd-install:
  pkg.installed:
    - name: vsftpd
vsftpd-start:
  service.running:
    - name: vsftpd
    - enable: True
[root@salt-master app]# cat nginx.sls
nginx-install:
  pkg.installed:
    - name: nginx
nginx-start:
  service.running:
    - name: nginx
    - enable: True
4.4 Apply the configuration on minions with the state module of the salt command
[root@salt-master app]# salt '*' state.sls app.vsftpd
[root@salt-master app]# salt 'salt-minion1-c7' state.sls app.apache
salt-minion1-c7:
----------
          ID: apache-install
    Function: pkg.installed
        Name: httpd
      Result: True
     Comment: The following packages were installed/updated: httpd
     Started: 22:00:16.727956
    Duration: 5249.691 ms
     Changes:
              ----------
              httpd:
                  ----------
                  new:
                      2.4.6-89.el7.centos
                  old:
              httpd-tools:
                  ----------
                  new:
                      2.4.6-89.el7.centos
                  old:
              mailcap:
                  ----------
                  new:
                      2.1.41-2.el7
                  old:
----------
          ID: apache-start
    Function: service.running
        Name: httpd
      Result: True
     Comment: Service httpd has been enabled, and is running
     Started: 22:00:22.840059
    Duration: 642.933 ms
     Changes:
              ----------
              httpd:
                  True

Summary for salt-minion1-c7
------------
Succeeded: 2 (changed=2)
Failed:    0
------------
Total states run:     2
Total run time:   5.893 s
4.5 Requirement: different hosts get different configurations ==> use the Salt highstate
This needs a top file, and the top file must live in the base environment; in this setup the base environment is /srv/salt.
[root@salt-master salt]# cat top.sls
#base:
#  '*':
#    - app.vsftpd
#base:
#  'salt-minion*':
#    - app.apache
base:
  'salt-minion1-c7':
    - app.nginx
  'salt-minion2-c7':
    - app.nginx
  'salt-minion3-c7':
    - app.apache
    - app.vsftpd
  'salt-minion4-c6':
    - app.vsftpd
[root@salt-master salt]# salt '*' state.highstate
Before the real run we can do a dry run first, and apply for real only once the result looks right:
[root@salt-master salt]# salt '*' state.highstate test=true
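As an added example, not part of the original post, here is a Python preview of what the top file from section 4.5 would do before `state.highstate` is run against the whole fleet: a deliberately minimal, hand-written reader for this env/target/state shape (so PyYAML is not needed; it is not a general YAML parser and not Salt's own) plus fnmatch glob matching, which is how Salt matches the plain targets used in this top file. The top file text and minion ids are those from the page; the functions are my own names.

```python
import fnmatch

# Constructed copy of the top.sls written in section 4.5 (base environment only).
TOP_SLS = """base:
  'salt-minion1-c7':
    - app.nginx
  'salt-minion2-c7':
    - app.nginx
  'salt-minion3-c7':
    - app.apache
    - app.vsftpd
  'salt-minion4-c6':
    - app.vsftpd
"""

MINIONS = ["salt-minion1-c7", "salt-minion2-c7", "salt-minion3-c7", "salt-minion4-c6"]


def parse_top(text):
    """Minimal reader for the env -> target -> [sls] shape used above.
    Hand-written so the example needs no PyYAML; it is not a general YAML parser."""
    envs, env, target = {}, None, None
    for raw in text.splitlines():
        body = raw.strip()
        if not body or body.startswith("#"):      # skip blanks and commented-out blocks
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0 and body.endswith(":"):    # environment, e.g. base:
            env = body[:-1]
            envs[env] = {}
        elif indent == 2 and body.endswith(":"):  # quoted target pattern
            target = body[:-1].strip("'\"")
            envs[env][target] = []
        elif body.startswith("- "):               # state to apply
            envs[env][target].append(body[2:])
    return envs


def resolve(top, minion_id, env="base"):
    """States `state.highstate` would apply to one minion: every target that
    glob-matches its id contributes, in top-file order (glob targets only)."""
    states = []
    for target, sls_list in top.get(env, {}).items():
        if fnmatch.fnmatchcase(minion_id, target):
            for sls in sls_list:
                if sls not in states:
                    states.append(sls)
    return states


def preview(top, minion_ids, env="base"):
    """Dry-run view for the whole fleet, to read before running state.highstate."""
    return {m: resolve(top, m, env) for m in minion_ids}
```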
5. The SaltStack message queue
SaltStack's transport is built on ZeroMQ for efficient network communication. ZeroMQ supports Publish/Subscribe, the publish-and-subscribe pattern usually abbreviated Pub/Sub.
[root@salt-master salt]# netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address State   PID/Program name
tcp   0      0      0.0.0.0:22      0.0.0.0:*       LISTEN  1138/sshd
tcp   0      0      0.0.0.0:4505    0.0.0.0:*       LISTEN  26086/salt-master Z
tcp   0      0      0.0.0.0:4506    0.0.0.0:*       LISTEN  26092/salt-master M
tcp6  0      0      :::22           :::*            LISTEN  1138/sshd
udp   0      0      127.0.0.1:323   0.0.0.0:*               562/chronyd
udp6  0      0      ::1:323         :::*                    562/chronyd
Two network services run on the master:
1) ZeroMQ PUB, the publish/subscribe system, listens on port 4505 (changeable with the publish_port option in /etc/salt/master); the master uses it mainly to publish commands to the minions.
[root@salt-master salt]# lsof -ni:4505
COMMAND   PID   USER FD  TYPE DEVICE SIZE/OFF NODE NAME
/usr/bin/ 26086 root 16u IPv4 77189  0t0      TCP  *:4505 (LISTEN)
/usr/bin/ 26086 root 18u IPv4 77811  0t0      TCP  10.0.0.11:4505->10.0.0.23:36192 (ESTABLISHED)
/usr/bin/ 26086 root 19u IPv4 78053  0t0      TCP  10.0.0.11:4505->10.0.0.22:56022 (ESTABLISHED)
/usr/bin/ 26086 root 20u IPv4 80352  0t0      TCP  10.0.0.11:4505->10.0.0.24:46243 (ESTABLISHED)
/usr/bin/ 26086 root 21u IPv4 80354  0t0      TCP  10.0.0.11:4505->10.0.0.21:40330 (ESTABLISHED)
2) ZeroMQ REP, the request/reply system (Request-Reply pattern), listens on port 4506 by default (changeable with the ret_port option in /etc/salt/master); the master uses it mainly to receive the return values that minions send back after executing a job.
Processes on the master:
[root@salt-master ~]# ps aux | grep salt
root  26071 0.0 4.1 389608 41244 ?     Ss 21:49 0:00 /usr/bin/python /usr/bin/salt-master ProcessManager
root  26081 0.0 2.0 326236 20376 ?     S  21:49 0:00 /usr/bin/python /usr/bin/salt-master MultiprocessingLoggingQueue
root  26086 0.0 3.4 470324 34832 ?     Sl 21:49 0:00 /usr/bin/python /usr/bin/salt-master ZeroMQPubServerChannel
root  26087 0.0 4.8 403536 48808 ?     S  21:49 0:00 /usr/bin/python /usr/bin/salt-master EventPublisher
root  26090 0.1 6.8 422092 68924 ?     S  21:49 0:05 /usr/bin/python /usr/bin/salt-master Maintenance
root  26091 0.0 3.5 389476 35112 ?     S  21:49 0:00 /usr/bin/python /usr/bin/salt-master ReqServer_ProcessManager
root  26092 0.0 3.6 766332 36104 ?     Sl 21:49 0:00 /usr/bin/python /usr/bin/salt-master MWorkerQueue
root  26093 0.0 5.7 573876 57520 ?     Sl 21:49 0:01 /usr/bin/python /usr/bin/salt-master MWorker-0
root  26094 0.0 5.7 574856 57472 ?     Sl 21:49 0:01 /usr/bin/python /usr/bin/salt-master MWorker-1
root  26101 0.0 5.8 575396 58768 ?     Sl 21:49 0:01 /usr/bin/python /usr/bin/salt-master MWorker-2
root  26102 0.0 5.8 574860 58316 ?     Sl 21:49 0:01 /usr/bin/python /usr/bin/salt-master MWorker-3
root  26103 0.0 5.5 491548 55980 ?     Sl 21:49 0:01 /usr/bin/python /usr/bin/salt-master MWorker-4
root  26104 0.1 3.5 463340 35492 ?     Sl 21:49 0:05 /usr/bin/python /usr/bin/salt-master FileserverUpdate
root  30250 0.0 0.0 112660 972   pts/1 R+ 22:39 0:00 grep --color=auto salt
6. Common SaltStack configuration
6.1 Common master options (/etc/salt/master)
interface:      # address to bind to (default 0.0.0.0)
publish_port:   # publish port (default 4505)
ret_port:       # port on which results are returned; matches master_port in the minion config (default 4506)
user:           # user the master process runs as; if changed, the permissions of some directories must be adjusted (default root)
timeout:        # timeout; increase it for a large minion fleet or a poor network (default 5s)
keep_jobs:      # minions return results to the master, which caches them under its cachedir; this sets how long they are kept. Past results can be looked up, but take disk space (default 24h)
job_cache:      # whether the master caches job results; for a large fleet (more than 5000 minions) store jobs elsewhere and disable this (default True)
file_recv:      # whether minions may send files to the master (default False)
file_roots:     # file server directories; the default is:
  base:
    - /srv/salt
pillar_roots:   # pillar directories; the default is:
  base:
    - /srv/pillar
log_level:      # log level; supported levels are 'garbage', 'trace', 'debug', 'info', 'warning', 'error', 'critical' (default 'warning')
6.2 Common minion options (/etc/salt/minion)
master:         # the master host (default salt)
master_port:    # master port that authentication and job results are sent to; matches ret_port in the master config (default 4506)
id:             # identifier of this minion; Salt uses the id internally (default: the hostname)
user:           # user the minion runs as; installing packages and starting services need a privileged user, so root is recommended (default root)
cache_jobs:     # whether the minion caches job results (default False)
backup_mode:    # backup location used when a file is changed by a file operation (file.managed or file.recurse); currently in effect
providers:      # providers for modules, e.g. on RHEL-family systems the provider for pkg is yumpkg5
renderer:       # renderer used by the configuration management system (default yaml_jinja)
file_client:    # where the file client looks for files by default, remote or local (default remote)
loglevel:       # log level (default warning)
tcp_keepalive:  # whether the minion performs keepalive checks on its connection to the master, zeromq3 (default True)